Kickstarter Breached

17 Feb 2014 12:48 - 17 Feb 2014 12:49 #172045 by ChristopherMD
I usually just use the word password for pretty much everything. It's easy to remember. Sometimes I use my date of birth if it requires numbers.
Last edit: 17 Feb 2014 12:49 by ChristopherMD.
The following user(s) said Thank You: Aarontu, DeletedUser, Black Barney, ThirstyMan

17 Feb 2014 12:55 - 17 Feb 2014 12:57 #172046 by SuperflyPete
I'll give you a secret method that I have used in the past, but I have a newer, better, secret'er way.


AAAAA(symbol)BBBBBBC

A= is the first letters of the web address. You can use the last letters (minus the dot com or whatever)
Symbol= Your symbol of choice which is the same symbol you use for everything
B=6 letter word that is the core of all your passwords
C=Alphanumeric code for the type of site, ie 1 for sites that have credit card info, 2 for anything else

An example would be
fort~fuckoff2 (first 4, tilde, personal key, non-shopping site) or keeg%fuckoff2 (same convention, just used last 4 backwards).

All you need to remember is the convention and your personal key "fuckoff", and all your passwords become very easy to remember. If you need to change password due to a breach, just use the last letters instead of the first. If you have to change AGAIN, due to another breach, don't go back to that site because they don't give a shit about your safety.
Last edit: 17 Feb 2014 12:57 by SuperflyPete.

17 Feb 2014 13:42 - 17 Feb 2014 13:53 #172048 by tin0men
Replied by tin0men on topic Re: Kickstarter Breached
What jeb said; and a bit of Pete's comment: I use a sync'd password manager and a variety of long passwords (2-factor where available) for anything secure. But for low-risk sites, I'll often build variant passwords with 'known-formula' to let me 'reconstruct' the pw manually if I need to.

But for security, as an IT type with a lot of passwords with 12-15char minimums and as short as 2-week password rotations (at work), it makes for a lot of balls in the air, if you have an aging memory.

So I use the _freeware_ KeePass 2 on my home PC, work PC, iPhone 4S and iPad 2, all sync'd with Dropbox.

On the iOS devices I use MiniKeePass reading the synced kdbx file - not the snappiest method to open the db - esp if you're punching in a long master password, and a 2-factor keyfile spec, to get it open. But it does the job.

For most complex requirements or work, I use LONG 18-20char mixed case, + numbers + punctuation passwords, and KeePass's autotype functions to hot-key enter passwords.
The KeePass 'URL in Title Bar' plugin can go a long way to helping you get a 'recognizable' browser title string, for matching the proper entry to the proper page.

Other plugins I like (from the KeePass plugins page)
-KeePassFaviconDownloader (dl's an entry's matching icon - speeds up visually id'ing them in your lists)
-KPEntryTemplates - gives you custom entry screens for custom items like credit cards, or in my case, inventorying items at home (ser#'s, make, model, detailed specs on collections of things).
-PronouncePwGen - I don't use this much yet, but it's designed to build more human-readable passwords
-RDCAutoTypeAndTCATO - I use this one for compatibility with mstsc (MS TermServ RDP client, for remoting servers).
-WordSequence (custom-pw-construction-algorithm plugin, supports word lists & custom dictionaries)

Since I have it on my phones & Dropbox, I've also taken to leveraging KP's capacity for holding files within an entry: passport & birth certificates, vaccination-record scan images, etc., for when traveling, or on my son.

Using a two-factor authentication (with a common-generic-item keyfile), and secure-desktop entry of the master password, *should* make things fairly secure. I'd like it better if I was re-encrypting the sync file on dropbox, but at this point, it's more important that I have the data sync'd than that one extra piece of security.

Also, with all the data breaches these days, I'm becoming a big fan of use of Google Authenticator and Symantec\Verisign VIP Access 2-factor apps on my devices:
GoogleAuth supports Google, Facebook, Dropbox & Microsoft's sites (or any that provides a QR code export).
Symantec supports paypal, ebay, and a range of financial sites.
The above help ensure that, even if someone gets your uid & password, that they still are missing a piece of the puzzle to get logged on.

Would that more sites were actually using 2-factor though...
Well.. and that helpdesks at places like Amazon/Apple etc weren't staffed with idiots that hand out password resets over the phone, like candy...
Last edit: 17 Feb 2014 13:53 by tin0men.

17 Feb 2014 14:29 - 17 Feb 2014 14:44 #172054 by tin0men
Replied by tin0men on topic Re: Kickstarter Breached

Sagrilarus wrote: I'm on seven or eight machines and have to keep track of about 50 passwords right now each in a set that can never repeat. I use a black book, as it's the only way to remain sane.


If this is a for-real policy position at a firm, they really need to consider revising, and/or providing a central alternative. Because, hand-written unencrypted records (or the old standard 'magical word .doc of passwords') are suicidally risky. And at the end of the day, their restrictions of secure password tools are in many ways making them _more_ at risk.

Most of the firms I've worked at not only permit you to use independent password keepers (or actively look the other way), some had active projects in the pipe to look at *buying* central password-management db apps. It's that important.

One of my prior jobs was at a firm that did US govt work, and wouldn't even permit *any* non-VPN remote email-access at all. They used 2-factor auth on all remote access (s'why they wouldn't do email; it didn't support it smoothly). They also drove 14day password expirations and other ridiculously burdensome options. But they didn't support or provide any centrally-approved means of managing passwords. And Security wasn't concerned about results, just paper policy. The firm also had an IT workforce with ages averaging over 50. Net result of the above combo was that I had coworkers with passwords openly written on cubicle walls...
Completely nuts.
Last edit: 17 Feb 2014 14:44 by tin0men.

17 Feb 2014 21:15 #172079 by MattFantastic

SuperflyTNT wrote: I'll give you a secret method that I have used in the past, but I have a newer, better, secret'er way.


AAAAA(symbol)BBBBBBC

A= is the first letters of the web address. You can use the last letters (minus the dot com or whatever)
Symbol= Your symbol of choice which is the same symbol you use for everything
B=6 letter word that is the core of all your passwords
C=Alphanumeric code for the type of site, ie 1 for sites that have credit card info, 2 for anything else

An example would be
fort~fuckoff2 (first 4, tilde, personal key, non-shopping site) or keeg%fuckoff2 (same convention, just used last 4 backwards).

All you need to remember is the convention and your personal key "fuckoff", and all your passwords become very easy to remember. If you need to change password due to a breach, just use the last letters instead of the first. If you have to change AGAIN, due to another breach, don't go back to that site because they don't give a shit about your safety.


your core word is dangerously accurate for many of my passwords you hacker fuck! hahaha

17 Feb 2014 21:25 #172081 by Aarontu
Replied by Aarontu on topic Re: Kickstarter Breached

Mad Dog wrote: I usually just use the word password for pretty much everything. It's easy to remember. Sometimes I use my date of birth if it requires numbers.

I personally like "12345". Easy to remember, and I can use the same password on everything, including my luggage.

18 Feb 2014 10:13 #172103 by SuperflyPete
Maybe it's just me, but I use a unique password at every site, which is hundreds, and I rarely have a problem remembering any passwords. Like I said, it's the convention you need to remember.

I remember back in my programming days we'd name each module a certain way to ensure that when we did calls to that module, we wouldn't have to look at a hundred filenames to ~hopefully~ remember them, or worse, keep a list.

And Matt, your orders of Viagra and your Fleshlight will be there on Tuesday. :)

18 Feb 2014 11:38 #172111 by ThirstyMan
Replied by ThirstyMan on topic Re: Kickstarter Breached
Pete, using your system, is it not a bit insecure as you have actual words as part of your password? Is this not easier to brute force attack than a string of garbage (like Jeb's use of LastPass)?

18 Feb 2014 12:25 #172119 by MattFantastic

SuperflyTNT wrote: And Matt, your orders of Viagra and your Fleshlight will be there on Tuesday. :)


Free party drugs, sweet!

18 Feb 2014 12:33 #172121 by SuperflyPete

ThirstyMan wrote: Pete, using your system, is it not a bit insecure as you have actual words as part of your password? Is this not easier to brute force attack than a string of garbage (like Jeb's use of LastPass)?


That "Fuckoff" portion of the string doesn't have to be words. It can be anything.

So, FortressAT's password could be FORT!fV<K0ff1
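
An added example, not part of the thread or written by any of its posters: a check you can run over your own password list to see whether entries follow the site-fragment-plus-shared-core convention discussed above, in which case a single breached entry exposes the core used everywhere else. The vault contents, the `corekey` core and all function names are constructed for illustration.

```python
from itertools import combinations
from typing import Dict, Optional

# Constructed sample vault (site -> password); none of these values come from the thread.
SAMPLE_VAULT = {
    "fortressat.com": "fort~corekey2",
    "kickstarter.com": "kick!corekey1",
    "example.org": "elpm%corekey3",       # last four letters of the name, reversed
    "bank.test": "q7#Lm2!xVz9@rTe4",      # stands in for a manager-generated password
}

def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters that a and b share, compared case-insensitively."""
    al, bl = a.lower(), b.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(bl) + 1)
    for i in range(1, len(al) + 1):
        cur = [0] * (len(bl) + 1)
        for j in range(1, len(bl) + 1):
            if al[i - 1] == bl[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def site_fragment(site: str, password: str, n: int = 4) -> Optional[str]:
    """Return the piece of the site name embedded in the password, if any."""
    name = site.lower().split(".")[0]
    for frag in (name[:n], name[-n:], name[-n:][::-1]):
        if frag and frag in password.lower():
            return frag
    return None

def audit(vault: Dict[str, str], min_core: int = 5) -> Dict[str, dict]:
    """Flag every entry that shares a core of min_core+ characters with another entry."""
    findings: Dict[str, dict] = {}
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        core = longest_common_substring(p1, p2)
        if len(core) >= min_core:
            for site, pw in ((s1, p1), (s2, p2)):
                findings[site] = {"shared_core": core,
                                  "site_fragment": site_fragment(site, pw)}
    return findings

if __name__ == "__main__":
    for site, finding in audit(SAMPLE_VAULT).items():
        print(site, finding)
```

Entries that come back flagged are the ones to replace with independent, manager-generated passwords; the randomly generated entry in the sample is not flagged.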
